Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk

If data breaches were a film genre, third-party cyber-risk would be the talk of producers and casting agents; it's where the money is. Like a relentless killer who cannot seem to be destroyed, third-party breach scenarios dominate the headlines. The scares are all different — compromised health records, weapons designs, or automakers' trade secrets — but the plot is the same: leaked and stolen files via compromised contractors, supply chains, or business partners.

From my vantage point counseling senior executives on cyber-risk management, it is easy to see why the ephemeral specter of third-party cyber-risk haunts the C-suite. It's because when you're operating in your company's own familiar environment, you often miss the warning signs of danger lurking — until something hits you. Leaders complain they can spend untold sums and time ratcheting down their company's internal security measures only to see their data and reputation suffer the consequences of errors and carelessness at other companies, seemingly out of their control.

Let's break down a few third-party breach tropes and how to confront them:

The Partner You Don't Know

Photo Credit: "Creature from the Black Lagoon", Public Domain, from the Florida Memory Project hosted at the State Archive of Florida.

Just as the Creature from the Black Lagoon terrified boaters who stumbled onto his turf, many companies don't learn of a third-party's privileged access until a breach flops onto the deck and begins costly disruptions. Given how technology and business forces constantly evolve, it is very easy to overlook business partners who have accumulated through decentralized and delegated sourcing, M&A, and other shifts.

The best way to avoid a terrifying Halloween surprise (or any other time of year, for that matter) is to create cross-functional vendor management teams including sales, development, and marketing. These overseers can interface with both the chief information security officer's (CISO) organization and other stakeholders, like the CFO. This will maintain an updated, central radar screen of third-party relationships to ensure that security, financial, and other controls are all evenly applied.

The Trusted Partner Who Proves to Be RiskyDr. Jekyll probably aced his security interviews and contract negotiations. After all, he's a scientist! But what oversight mechanism kicks in when a company you trust one minute becomes the equivalent of Mr. Hyde the next?

The solution requires more than annual audits, one-time compliance checks, or the threat of litigation. It's better for companies to configure alerts that fire on the names of IP and business partners whose names turn up on the Dark Web, paste sites, or the wider cybercrime underground. Often, the first occurrence of breached data offers telltale indicators of whether the material was targeted directly, or spilled out of a larger third-party breach. Early-warning measures like these help minimize needless exposure by helping find and remedy vulnerable systems.

The Promise and Peril of New Technology FrontiersDr. Frankenstein thought he could make death obsolete. In Event Horizon and Ex Machina, brilliant minds create new technologies that are awe-inspiring at first — but soon reveal terrifying, unintended consequences. Protagonists begin these films coolly and seemingly in control of technology that pushes boundaries but end up with more than they bargained for, and a total loss of control.

Today's ubiquitous third-party data breaches fortunately do not cause loss of life or the rise of sentient machines. However, many a company has rushed to embed a hot new service provider's remarkable technology without necessarily realizing or weighing the inherent risk being shouldered in the process. For example, companies that turned to a popular online chat tool, including Best Buy, Sears, and Delta Airlines, were affected when the high-profile, category-defining vendor behind the chat platform was hit with malware.

In fairness, any outsourced technology can be breached — not only those of hot, emerging startups. But this underscores the point that companies need to follow the trail to see where their data goes and "who" has access to "what." While it's unrealistic to expect a customer service leader to know her or his company's entire risk appetite, it underscores the need to have cross-functional team-based approaches to sourcing and major investments in any new technology partner — particularly those running code on your site or in your product.

The CliffhangerTHE END… or is it? When the 3:00 a.m. phone calls, harried email threads, tired spokespeople, and empty takeout containers subside after an exhausting data breach response, employees feel partially relieved. Yet they are also wary of "What else is out there?" This is akin to how our heroes feel after they finally destroy the last alien or zombie — right before the camera pans to an egg or one more infected person right before the credits roll. Hollywood and merchandisers love to set things up for a sequel, but executives and CISOs would be doomed to failure if they find themselves trapped in a reboot of the same breach screenplay six months later.

After every third-party breach affecting their business or a peer company, security leaders need to take stock of what happened, and study precursor activities or preconditions that allowed excessive risk to go unchecked. In some cases, attackers might have been remarkably lucky, or the root cause could be the result of unimaginable oversights in vendor behavior and decision-making.

It is true no organization can find everything that might be lurking in the night to do them harm. But taking a deeper look at these telling patterns can equip security professionals to speak up when they start hearing familiar assumptions and clichés from scripts they have seen too many times before.

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Brandon Dobrec has dedicated his career to cybersecurity, particularly to delivering the comprehensive threat data, intelligence, and tools required for organizations to minimize their business risk. Since joining LookingGlass in September 2016, Brandon has served as an ... View Full Bio

This article does a great job describing the problem. Unfortunately, however, the discussion of potential solutions fails to point to the real problem: lack of resources. While the concept of creating cross organizational monitoring teams and the idea of darknet vigilance do make sense in theory, they don't reflect the reality, where the number of third-party data exchanges are far beyond what organizations can handle. A crucial piece of tackling the third-party risk problem is a platform that not only collects information about your third-party risks, but also points out areas that require attention or present challenges to your organization.

On the privacy front, we saw this happen recently in Toronto when privacy expert Ann Cavoukian resigned her position from a major Smart Cities renovation project by Sidewalk Labs (an Alphabet subsidiary / Google sister company). Upon hearing that the assurances that data would always be anonymized at the source could no longer be assured when it came to outsiders working with a third party that commissioned Sidewalk Labs for the project (Waterfront Toronto), Cavoukian reportedly quit right then and there.

By the way, you probably misused the word Ephemeral in your title. Maybe you meant to use the word "Eternal", because "Ephemeral" means "very short-lived", and in fact, as long as a company has third-party vendors, the potential for risk never ends.

Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.

An exploitable vulnerability exists in the verified boot protection of the Das U-Boot from version 2013.07-rc1 to 2014.07-rc2. The affected versions lack proper FIT signature enforcement, which allows an attacker to bypass U-Boot's verified boot and execute an unsigned kernel, embedded in a legacy i...